GDPR Updates: Right to Erasure

New Year’s resolutions aren’t for everyone, but I think most of us like the idea of a restart, the sense that slates can be wiped clean (to an extent), and that a departure from one’s current path is possible. This notion of a fresh start takes on a higher level of significance in the digital era. These days, many of us have a substantial online presence that lives both in public-facing platforms like Facebook or Twitter and in the private databases of our service providers, and I think we all feel entitled to some level of control over our personal digital histories. The right to erasure, as outlined in the GDPR, is meant to give individuals this control.

What is the Right to Erasure?

Article 17 of the GDPR outlines the data subject’s right to erasure, also known as the right to be forgotten. It gives each data subject the right to request that a controller erase the subject’s personal data. It also requires the controller to comply with any such request “without undue delay” as long as one of six specific legal grounds applies. On top of this, it states that in cases where the controller has made personal data public, the controller must reach out to any other controller who is processing the data and inform them about the request for erasure so that the appropriate steps can be taken. Finally, Article 17 lays out several exceptions where the right to erasure does not apply. These include instances when processing of data is necessary for “exercising the right of freedom of expression and information,” for “compliance with a legal obligation,” or for “the establishment, exercise or defense of legal claims.”

Legal grounds for processing data

If you think back to our post about obtaining consent, you’ll recall that the GDPR gives several legal bases for using personal data. The two that most commonly apply to the domain registration world are when the processing is necessary for the fulfillment of a contract, and when the data subject consents to the processing. Our Registration Agreement outlines exactly what data is required in order to register a domain, so the data elements included there are what are required to fulfill the contract. Any extra data that someone chooses to provide, such as a phone number to be used as a backup authentication method, would be processed under the legal basis of consent.

What data falls under the right to be forgotten?

“The right to be forgotten” is not as straightforward as the phrase’s catchy nature might imply. While a data subject can place a request to a controller to have their data erased, the request is only legitimate under certain legal grounds. I’ll lay these out and then narrow our focus to what they mean for OpenSRS (and very likely, for you!).

These legal grounds include:

The data is no longer needed for the purpose for which it was originally collected,

The processing is based on consent and the data subject withdraws that consent,

The data subject exercises their right to object under Article 21 of the GDPR,

Processing is not lawful (there was no legal basis in the first place),

The controller is subject to a legal obligation that requires the erasure of the data,

Some things related to children’s rights, which don’t apply since we don’t sell domains to children.

For OpenSRS’ purposes, data that is processed based on consent is subject to the right to erasure — the data subject can withdraw their consent, the controller must erase this data, and, if the data has been made public, notify other controllers or processors to do so as well. OpenSRS also uses data that is processed based on a contract and is not subject to the right to erasure; a request to erase would not apply to those data elements. In these cases, erasing the data would require terminating the contract. Even then, there are other legal obligations around data retention that may come into play, such as regional laws that require data to be stored for certain time periods.

How can the right to erasure be exercised?

Article 7 of the GDPR lays out how consent works as a legal basis for data processing, and also requires that consent may be withdrawn at any time, specifically stating that “It shall be as easy to withdraw as to give consent.” We’re fulfilling this requirement by ensuring that the consent management landing page remains available and easily accessible to each data subject to whom we provide services. On this page, a subject can view the existing consent settings and also change or withdraw consent. A withdrawal request will trigger a process on our side to find and delete any data that is held based on consent. Data that is required by contract, however, would remain intact. This gives the data subject complete control over the use of their personal data, while also ensuring that the domain registration itself is not interrupted unnecessarily.

Looking ahead

The opportunity for a fresh start provided by the GDPR’s right to erasure is a year-round thing, not confined to the first of January. But now, with the glitter from New Year’s parties still stuck in our carpets, it might be a good time to think about how you’re preparing to provide this option to your clients. In our own development process, our mantra has been “it must be as easy to withdraw consent as it is to give it, and when erasure is requested, it must be completed ‘without undue delay’.” Work with your legal team to determine which of the data elements you collect are subject to the right to be forgotten, and develop a process to fulfill those requests promptly and completely. Giving your clients easy access to a “fresh start” will certainly require some development work on your end, but it’s an opportunity to employ some great UX and reassure them that you take the principles of transparency and privacy seriously.